path: root/nixos/modules/services/networking
authorEelco Dolstra <eelco.dolstra@logicblox.com>2014-04-19 23:02:59 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2014-04-19 23:02:59 +0200
commit0a256cc0ee45f3766e68ec29b03a50731ca64ae0 (patch)
tree50bae07f59b6e864578b9801f173683558242637 /nixos/modules/services/networking
parent4fb50f071f18279048bfd67267146aaec379e01d (diff)
Firewall: Only start if we have CAP_NET_ADMIN
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r--nixos/modules/services/networking/firewall.nix17
1 files changed, 11 insertions, 6 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index e604ba23b87f..42914bfe5d62 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -18,8 +18,6 @@
 
 */
 
-
-
 { config, lib, pkgs, ... }:
 
 with lib;
@@ -266,16 +264,23 @@ in
                      message = "This kernel does not support disabling conntrack helpers"; }
                  ];
 
-    jobs.firewall =
+    systemd.services.firewall =
       { description = "Firewall";
 
-        startOn = "started network-interfaces";
+        wantedBy = [ "network.target" ];
+        after = [ "network-interfaces.target" "systemd-modules-load.service" ];
 
         path = [ pkgs.iptables ];
 
-        after = [ "systemd-modules-load.service" ];
+        # FIXME: this module may also try to load kernel modules, but
+        # containers don't have CAP_SYS_MODULE. So the host system had
+        # better have all necessary modules already loaded.
+        unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = true;
 
-        preStart =
+        script =
           ''
             ${helpers}